Analysis

  • max time kernel
    63s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    07-07-2021 17:48

General

  • Target: d93befb933caaf737d83b0aee9577449.exe
  • Size: 3.2MB
  • MD5: d93befb933caaf737d83b0aee9577449
  • SHA1: 2524f6afd33f0b787db7251d78c4ef5b7961913a
  • SHA256: 9dc2aee4b65b09658a4412e9cd10aaf655faeb9b5500241455c0183150581e1e
  • SHA512: 8c437345af6ce2f2d37068c2fd23dc52659223dcdbe1c982ce1a4acc991c1f969c21a8d176b3327bc47c4b542ad9333dcc7f6d660c48b6bd4ef3e994e3277e12

Malware Config

Extracted

  • Family: vidar
  • Version: 39.4
  • Botnet: 950
  • C2: https://sergeevih43.tumblr.com
  • Attributes
    • profile_id: 950

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Vidar Stealer 1 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d93befb933caaf737d83b0aee9577449.exe
    "C:\Users\Admin\AppData\Local\Temp\d93befb933caaf737d83b0aee9577449.exe"
    1⤵
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im d93befb933caaf737d83b0aee9577449.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\d93befb933caaf737d83b0aee9577449.exe" & del C:\ProgramData\*.dll & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im d93befb933caaf737d83b0aee9577449.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3948
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 6
        3⤵
        • Delays execution with timeout.exe
        PID:392

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/4016-123-0x0000000004810000-0x0000000004811000-memory.dmp (Filesize: 4KB)
  • memory/4016-121-0x00000000047F0000-0x00000000047F1000-memory.dmp (Filesize: 4KB)
  • memory/4016-122-0x0000000004840000-0x0000000004841000-memory.dmp (Filesize: 4KB)
  • memory/4016-128-0x00000000047B0000-0x00000000047B1000-memory.dmp (Filesize: 4KB)
  • memory/4016-129-0x00000000047E0000-0x00000000047E1000-memory.dmp (Filesize: 4KB)
  • memory/4016-130-0x00000000047D0000-0x00000000047D1000-memory.dmp (Filesize: 4KB)
  • memory/4016-124-0x0000000004830000-0x0000000004831000-memory.dmp (Filesize: 4KB)
  • memory/4016-114-0x0000000077DD0000-0x0000000077F5E000-memory.dmp (Filesize: 1.6MB)
  • memory/4016-125-0x0000000000400000-0x000000000076F000-memory.dmp (Filesize: 3.4MB)
  • memory/4016-120-0x0000000004870000-0x0000000004871000-memory.dmp (Filesize: 4KB)
  • memory/4016-119-0x0000000004860000-0x0000000004861000-memory.dmp (Filesize: 4KB)
  • memory/4016-118-0x0000000004800000-0x0000000004801000-memory.dmp (Filesize: 4KB)
  • memory/4016-117-0x0000000004850000-0x0000000004851000-memory.dmp (Filesize: 4KB)
  • memory/4016-116-0x00000000047C0000-0x00000000047C1000-memory.dmp (Filesize: 4KB)
  • memory/4016-115-0x0000000004820000-0x0000000004821000-memory.dmp (Filesize: 4KB)